Refactor using Tauri (#278)

apps/gpauth/Cargo.toml

@@ -0,0 +1,23 @@
+[package]
+name = "gpauth"
+version.workspace = true
+edition.workspace = true
+license.workspace = true
+
+[build-dependencies]
+tauri-build = { version = "1.5", features = [] }
+
+[dependencies]
+gpapi = { path = "../../crates/gpapi", features = ["tauri"] }
+anyhow.workspace = true
+clap.workspace = true
+env_logger.workspace = true
+log.workspace = true
+regex.workspace = true
+serde_json.workspace = true
+tokio.workspace = true
+tokio-util.workspace = true
+tempfile.workspace = true
+webkit2gtk = "0.18.2"
+tauri = { workspace = true, features = ["http-all"] }
+compile-time.workspace = true

apps/gpauth/build.rs

@@ -0,0 +1,3 @@
+fn main() {
+  tauri_build::build()
+}

apps/gpauth/index.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>GlobalProtect Login</title>
+</head>
+<body>
+  <p>Redirecting to GlobalProtect Login...</p>
+</body>
+</html>

apps/gpauth/src/auth_window.rs

@@ -0,0 +1,449 @@
+use std::{
+  rc::Rc,
+  sync::Arc,
+  time::{Duration, Instant},
+};
+
+use anyhow::bail;
+use gpapi::{
+  auth::SamlAuthData,
+  portal::{prelogin, Prelogin},
+  utils::{redact::redact_uri, window::WindowExt},
+};
+use log::{info, warn};
+use regex::Regex;
+use tauri::{AppHandle, Window, WindowEvent, WindowUrl};
+use tokio::sync::{mpsc, oneshot, RwLock};
+use tokio_util::sync::CancellationToken;
+use webkit2gtk::{
+  gio::Cancellable,
+  glib::{GString, TimeSpan},
+  LoadEvent, URIResponse, URIResponseExt, WebContextExt, WebResource, WebResourceExt, WebView,
+  WebViewExt, WebsiteDataManagerExtManual, WebsiteDataTypes,
+};
+
+enum AuthDataError {
+  /// 1. Found auth data in headers/body but it's invalid
+  /// 2. Loaded an empty page, failed to load page. etc.
+  Invalid,
+  /// No auth data found in headers/body
+  NotFound,
+}
+
+type AuthResult = Result<SamlAuthData, AuthDataError>;
+
+pub(crate) struct AuthWindow<'a> {
+  app_handle: AppHandle,
+  server: &'a str,
+  saml_request: &'a str,
+  user_agent: &'a str,
+  clean: bool,
+}
+
+impl<'a> AuthWindow<'a> {
+  pub fn new(app_handle: AppHandle) -> Self {
+    Self {
+      app_handle,
+      server: "",
+      saml_request: "",
+      user_agent: "",
+      clean: false,
+    }
+  }
+
+  pub fn server(mut self, server: &'a str) -> Self {
+    self.server = server;
+    self
+  }
+
+  pub fn saml_request(mut self, saml_request: &'a str) -> Self {
+    self.saml_request = saml_request;
+    self
+  }
+
+  pub fn user_agent(mut self, user_agent: &'a str) -> Self {
+    self.user_agent = user_agent;
+    self
+  }
+
+  pub fn clean(mut self, clean: bool) -> Self {
+    self.clean = clean;
+    self
+  }
+
+  pub async fn open(&self) -> anyhow::Result<SamlAuthData> {
+    info!("Open auth window, user_agent: {}", self.user_agent);
+
+    let window = Window::builder(&self.app_handle, "auth_window", WindowUrl::default())
+      .title("GlobalProtect Login")
+      .user_agent(self.user_agent)
+      .focused(true)
+      .visible(false)
+      .center()
+      .build()?;
+
+    let window = Arc::new(window);
+
+    let cancel_token = CancellationToken::new();
+    let cancel_token_clone = cancel_token.clone();
+
+    window.on_window_event(move |event| {
+      if let WindowEvent::CloseRequested { .. } = event {
+        cancel_token_clone.cancel();
+      }
+    });
+
+    let window_clone = Arc::clone(&window);
+    let timeout_secs = 15;
+    tokio::spawn(async move {
+      tokio::time::sleep(Duration::from_secs(timeout_secs)).await;
+      let visible = window_clone.is_visible().unwrap_or(false);
+      if !visible {
+        info!("Try to raise auth window after {} seconds", timeout_secs);
+        raise_window(&window_clone);
+      }
+    });
+
+    tokio::select! {
+      _ = cancel_token.cancelled() => {
+        bail!("Auth cancelled");
+      }
+      saml_result = self.auth_loop(&window) => {
+        window.close()?;
+        saml_result
+      }
+    }
+  }
+
+  async fn auth_loop(&self, window: &Arc<Window>) -> anyhow::Result<SamlAuthData> {
+    let saml_request = self.saml_request.to_string();
+    let (auth_result_tx, mut auth_result_rx) = mpsc::unbounded_channel::<AuthResult>();
+    let raise_window_cancel_token: Arc<RwLock<Option<CancellationToken>>> = Default::default();
+
+    if self.clean {
+      clear_webview_cookies(window).await?;
+    }
+
+    let raise_window_cancel_token_clone = Arc::clone(&raise_window_cancel_token);
+    window.with_webview(move |wv| {
+      let wv = wv.inner();
+
+      // Load the initial SAML request
+      load_saml_request(&wv, &saml_request);
+
+      let auth_result_tx_clone = auth_result_tx.clone();
+      wv.connect_load_changed(move |wv, event| {
+        if event == LoadEvent::Started {
+          let Ok(mut cancel_token) = raise_window_cancel_token_clone.try_write() else {
+            return;
+          };
+
+          // Cancel the raise window task
+          if let Some(cancel_token) = cancel_token.take() {
+            cancel_token.cancel();
+          }
+          return;
+        }
+
+        if event != LoadEvent::Finished {
+          return;
+        }
+
+        if let Some(main_resource) = wv.main_resource() {
+          let uri = main_resource.uri().unwrap_or("".into());
+
+          if uri.is_empty() {
+            warn!("Loaded an empty uri");
+            send_auth_result(&auth_result_tx_clone, Err(AuthDataError::Invalid));
+            return;
+          }
+
+          info!("Loaded uri: {}", redact_uri(&uri));
+          read_auth_data(&main_resource, auth_result_tx_clone.clone());
+        }
+      });
+
+      wv.connect_load_failed_with_tls_errors(|_wv, uri, cert, err| {
+        let redacted_uri = redact_uri(uri);
+        warn!(
+          "Failed to load uri: {} with error: {}, cert: {}",
+          redacted_uri, err, cert
+        );
+        true
+      });
+
+      wv.connect_load_failed(move |_wv, _event, uri, err| {
+        let redacted_uri = redact_uri(uri);
+        warn!("Failed to load uri: {} with error: {}", redacted_uri, err);
+        send_auth_result(&auth_result_tx, Err(AuthDataError::Invalid));
+        // true to stop other handlers from being invoked for the event. false to propagate the event further.
+        true
+      });
+    })?;
+
+    let portal = self.server.to_string();
+    let user_agent = self.user_agent.to_string();
+
+    loop {
+      if let Some(auth_result) = auth_result_rx.recv().await {
+        match auth_result {
+          Ok(auth_data) => return Ok(auth_data),
+          Err(AuthDataError::NotFound) => {
+            info!("No auth data found, it may not be the /SAML20/SP/ACS endpoint");
+
+            // The user may need to interact with the auth window, raise it in 3 seconds
+            if !window.is_visible().unwrap_or(false) {
+              let window = Arc::clone(window);
+              let cancel_token = CancellationToken::new();
+
+              raise_window_cancel_token
+                .write()
+                .await
+                .replace(cancel_token.clone());
+
+              tokio::spawn(async move {
+                let delay_secs = 1;
+
+                info!("Raise window in {} second(s)", delay_secs);
+                tokio::select! {
+                  _ = tokio::time::sleep(Duration::from_secs(delay_secs)) => {
+                    raise_window(&window);
+                  }
+                  _ = cancel_token.cancelled() => {
+                    info!("Raise window cancelled");
+                  }
+                }
+              });
+            }
+          }
+          Err(AuthDataError::Invalid) => {
+            info!("Got invalid auth data, retrying...");
+
+            window.with_webview(|wv| {
+              let wv = wv.inner();
+              wv.run_javascript(r#"
+                  var loading = document.createElement("div");
+                  loading.innerHTML = '<div style="position: absolute; width: 100%; text-align: center; font-size: 20px; font-weight: bold; top: 50%; left: 50%; transform: translate(-50%, -50%);">Got invalid token, retrying...</div>';
+                  loading.style = "position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(255, 255, 255, 0.85); z-index: 99999;";
+                  document.body.appendChild(loading);
+              "#,
+                  Cancellable::NONE,
+                  |_| info!("Injected loading element successfully"),
+              );
+            })?;
+
+            let saml_request = portal_prelogin(&portal, &user_agent).await?;
+            window.with_webview(move |wv| {
+              let wv = wv.inner();
+              load_saml_request(&wv, &saml_request);
+            })?;
+          }
+        }
+      }
+    }
+  }
+}
+
+fn raise_window(window: &Arc<Window>) {
+  let visible = window.is_visible().unwrap_or(false);
+  if !visible {
+    if let Err(err) = window.raise() {
+      warn!("Failed to raise window: {}", err);
+    }
+  }
+}
+
+pub(crate) async fn portal_prelogin(portal: &str, user_agent: &str) -> anyhow::Result<String> {
+  info!("Portal prelogin...");
+  match prelogin(portal, user_agent).await? {
+    Prelogin::Saml(prelogin) => Ok(prelogin.saml_request().to_string()),
+    Prelogin::Standard(_) => Err(anyhow::anyhow!("Received non-SAML prelogin response")),
+  }
+}
+
+fn send_auth_result(auth_result_tx: &mpsc::UnboundedSender<AuthResult>, auth_result: AuthResult) {
+  if let Err(err) = auth_result_tx.send(auth_result) {
+    warn!("Failed to send auth event: {}", err);
+  }
+}
+
+fn load_saml_request(wv: &Rc<WebView>, saml_request: &str) {
+  if saml_request.starts_with("http") {
+    info!("Load the SAML request as URI...");
+    wv.load_uri(saml_request);
+  } else {
+    info!("Load the SAML request as HTML...");
+    wv.load_html(saml_request, None);
+  }
+}
+
+fn read_auth_data_from_headers(response: &URIResponse) -> AuthResult {
+  response.http_headers().map_or_else(
+    || {
+      info!("No headers found in response");
+      Err(AuthDataError::NotFound)
+    },
+    |mut headers| match headers.get("saml-auth-status") {
+      Some(status) if status == "1" => {
+        let username = headers.get("saml-username").map(GString::into);
+        let prelogin_cookie = headers.get("prelogin-cookie").map(GString::into);
+        let portal_userauthcookie = headers.get("portal-userauthcookie").map(GString::into);
+
+        if SamlAuthData::check(&username, &prelogin_cookie, &portal_userauthcookie) {
+          return Ok(SamlAuthData::new(
+            username.unwrap(),
+            prelogin_cookie,
+            portal_userauthcookie,
+          ));
+        }
+
+        info!("Found invalid auth data in headers");
+        Err(AuthDataError::Invalid)
+      }
+      Some(status) => {
+        info!("Found invalid SAML status: {} in headers", status);
+        Err(AuthDataError::Invalid)
+      }
+      None => {
+        info!("No saml-auth-status header found");
+        Err(AuthDataError::NotFound)
+      }
+    },
+  )
+}
+
+fn read_auth_data_from_body<F>(main_resource: &WebResource, callback: F)
+where
+  F: FnOnce(AuthResult) + Send + 'static,
+{
+  main_resource.data(Cancellable::NONE, |data| match data {
+    Ok(data) => {
+      let html = String::from_utf8_lossy(&data);
+      callback(read_auth_data_from_html(&html));
+    }
+    Err(err) => {
+      info!("Failed to read response body: {}", err);
+      callback(Err(AuthDataError::Invalid))
+    }
+  });
+}
+
+fn read_auth_data_from_html(html: &str) -> AuthResult {
+  if html.contains("Temporarily Unavailable") {
+    info!("Found 'Temporarily Unavailable' in HTML, auth failed");
+    return Err(AuthDataError::Invalid);
+  }
+
+  match parse_xml_tag(html, "saml-auth-status") {
+    Some(saml_status) if saml_status == "1" => {
+      let username = parse_xml_tag(html, "saml-username");
+      let prelogin_cookie = parse_xml_tag(html, "prelogin-cookie");
+      let portal_userauthcookie = parse_xml_tag(html, "portal-userauthcookie");
+
+      if SamlAuthData::check(&username, &prelogin_cookie, &portal_userauthcookie) {
+        return Ok(SamlAuthData::new(
+          username.unwrap(),
+          prelogin_cookie,
+          portal_userauthcookie,
+        ));
+      }
+
+      info!("Found invalid auth data in HTML");
+      Err(AuthDataError::Invalid)
+    }
+    Some(status) => {
+      info!("Found invalid SAML status {} in HTML", status);
+      Err(AuthDataError::Invalid)
+    }
+    None => {
+      info!("No auth data found in HTML");
+      Err(AuthDataError::NotFound)
+    }
+  }
+}
+
+fn read_auth_data(main_resource: &WebResource, auth_result_tx: mpsc::UnboundedSender<AuthResult>) {
+  if main_resource.response().is_none() {
+    info!("No response found in main resource");
+    send_auth_result(&auth_result_tx, Err(AuthDataError::Invalid));
+    return;
+  }
+
+  let response = main_resource.response().unwrap();
+  info!("Trying to read auth data from response headers...");
+
+  match read_auth_data_from_headers(&response) {
+    Ok(auth_data) => {
+      info!("Got auth data from headers");
+      send_auth_result(&auth_result_tx, Ok(auth_data));
+    }
+    Err(AuthDataError::Invalid) => {
+      info!("Found invalid auth data in headers, trying to read from body...");
+      read_auth_data_from_body(main_resource, move |auth_result| {
+        // Since we have already found invalid auth data in headers, which means this could be the `/SAML20/SP/ACS` endpoint
+        // any error result from body should be considered as invalid, and trigger a retry
+        let auth_result = auth_result.map_err(|_| AuthDataError::Invalid);
+        send_auth_result(&auth_result_tx, auth_result);
+      });
+    }
+    Err(AuthDataError::NotFound) => {
+      info!("No auth data found in headers, trying to read from body...");
+      read_auth_data_from_body(main_resource, move |auth_result| {
+        send_auth_result(&auth_result_tx, auth_result)
+      });
+    }
+  }
+}
+
+fn parse_xml_tag(html: &str, tag: &str) -> Option<String> {
+  let re = Regex::new(&format!("<{}>(.*)</{}>", tag, tag)).unwrap();
+  re.captures(html)
+    .and_then(|captures| captures.get(1))
+    .map(|m| m.as_str().to_string())
+}
+
+pub(crate) async fn clear_webview_cookies(window: &Window) -> anyhow::Result<()> {
+  let (tx, rx) = oneshot::channel::<Result<(), String>>();
+
+  window.with_webview(|wv| {
+    let send_result = move |result: Result<(), String>| {
+      if let Err(err) = tx.send(result) {
+        info!("Failed to send result: {:?}", err);
+      }
+    };
+
+    let wv = wv.inner();
+    let context = match wv.context() {
+      Some(context) => context,
+      None => {
+        send_result(Err("No webview context found".into()));
+        return;
+      }
+    };
+    let data_manager = match context.website_data_manager() {
+      Some(manager) => manager,
+      None => {
+        send_result(Err("No data manager found".into()));
+        return;
+      }
+    };
+
+    let now = Instant::now();
+    data_manager.clear(
+      WebsiteDataTypes::COOKIES,
+      TimeSpan(0),
+      Cancellable::NONE,
+      move |result| match result {
+        Err(err) => {
+          send_result(Err(err.to_string()));
+        }
+        Ok(_) => {
+          info!("Cookies cleared in {} ms", now.elapsed().as_millis());
+          send_result(Ok(()));
+        }
+      },
+    );
+  })?;
+
+  rx.await?.map_err(|err| anyhow::anyhow!(err))
+}

apps/gpauth/src/cli.rs

@@ -0,0 +1,138 @@
+use clap::Parser;
+use gpapi::{
+  auth::{SamlAuthData, SamlAuthResult},
+  utils::{normalize_server, openssl},
+  GP_USER_AGENT,
+};
+use log::{info, LevelFilter};
+use serde_json::json;
+use tauri::{App, AppHandle, RunEvent};
+use tempfile::NamedTempFile;
+
+use crate::auth_window::{portal_prelogin, AuthWindow};
+
+const VERSION: &str = concat!(
+  env!("CARGO_PKG_VERSION"),
+  " (",
+  compile_time::date_str!(),
+  ")"
+);
+
+#[derive(Parser, Clone)]
+#[command(version = VERSION)]
+struct Cli {
+  server: String,
+  #[arg(long)]
+  saml_request: Option<String>,
+  #[arg(long, default_value = GP_USER_AGENT)]
+  user_agent: String,
+  #[arg(long)]
+  hidpi: bool,
+  #[arg(long)]
+  fix_openssl: bool,
+  #[arg(long)]
+  clean: bool,
+}
+
+impl Cli {
+  async fn run(&mut self) -> anyhow::Result<()> {
+    let mut openssl_conf = self.prepare_env()?;
+
+    self.server = normalize_server(&self.server)?;
+    // Get the initial SAML request
+    let saml_request = match self.saml_request {
+      Some(ref saml_request) => saml_request.clone(),
+      None => portal_prelogin(&self.server, &self.user_agent).await?,
+    };
+
+    self.saml_request.replace(saml_request);
+
+    let app = create_app(self.clone())?;
+
+    app.run(move |_app_handle, event| {
+      if let RunEvent::Exit = event {
+        if let Some(file) = openssl_conf.take() {
+          if let Err(err) = file.close() {
+            info!("Error closing OpenSSL config file: {}", err);
+          }
+        }
+      }
+    });
+
+    Ok(())
+  }
+
+  fn prepare_env(&self) -> anyhow::Result<Option<NamedTempFile>> {
+    std::env::set_var("WEBKIT_DISABLE_COMPOSITING_MODE", "1");
+
+    if self.hidpi {
+      info!("Setting GDK_SCALE=2 and GDK_DPI_SCALE=0.5");
+
+      std::env::set_var("GDK_SCALE", "2");
+      std::env::set_var("GDK_DPI_SCALE", "0.5");
+    }
+
+    if self.fix_openssl {
+      info!("Fixing OpenSSL environment");
+      let file = openssl::fix_openssl_env()?;
+
+      return Ok(Some(file));
+    }
+
+    Ok(None)
+  }
+
+  async fn saml_auth(&self, app_handle: AppHandle) -> anyhow::Result<SamlAuthData> {
+    let auth_window = AuthWindow::new(app_handle)
+      .server(&self.server)
+      .user_agent(&self.user_agent)
+      .saml_request(self.saml_request.as_ref().unwrap())
+      .clean(self.clean);
+
+    auth_window.open().await
+  }
+}
+
+fn create_app(cli: Cli) -> anyhow::Result<App> {
+  let app = tauri::Builder::default()
+    .setup(|app| {
+      let app_handle = app.handle();
+
+      tauri::async_runtime::spawn(async move {
+        let auth_result = match cli.saml_auth(app_handle.clone()).await {
+          Ok(auth_data) => SamlAuthResult::Success(auth_data),
+          Err(err) => SamlAuthResult::Failure(format!("{}", err)),
+        };
+
+        println!("{}", json!(auth_result));
+      });
+      Ok(())
+    })
+    .build(tauri::generate_context!())?;
+
+  Ok(app)
+}
+
+fn init_logger() {
+  env_logger::builder().filter_level(LevelFilter::Info).init();
+}
+
+pub async fn run() {
+  let mut cli = Cli::parse();
+
+  init_logger();
+  info!("gpauth started: {}", VERSION);
+
+  if let Err(err) = cli.run().await {
+    eprintln!("\nError: {}", err);
+
+    if err.to_string().contains("unsafe legacy renegotiation") && !cli.fix_openssl {
+      eprintln!("\nRe-run it with the `--fix-openssl` option to work around this issue, e.g.:\n");
+      // Print the command
+      let args = std::env::args().collect::<Vec<_>>();
+      eprintln!("{} --fix-openssl {}\n", args[0], args[1..].join(" "));
+    }
+
+    std::process::exit(1);
+  }
+}

apps/gpauth/src/main.rs

@@ -0,0 +1,9 @@
+#![cfg_attr(not(debug_assertions), windows_subsystem = "windows")]
+
+mod auth_window;
+mod cli;
+
+#[tokio::main]
+async fn main() {
+  cli::run().await;
+}

apps/gpauth/tauri.conf.json

@@ -0,0 +1,47 @@
+{
+  "$schema": "https://cdn.jsdelivr.net/gh/tauri-apps/tauri@tauri-v1.5.0/tooling/cli/schema.json",
+  "build": {
+    "distDir": [
+      "index.html"
+    ],
+    "devPath": [
+      "index.html"
+    ],
+    "beforeDevCommand": "",
+    "beforeBuildCommand": "",
+    "withGlobalTauri": false
+  },
+  "package": {
+    "productName": "gpauth",
+    "version": "0.0.0"
+  },
+  "tauri": {
+    "allowlist": {
+      "all": false,
+      "http": {
+        "all": true,
+        "request": true,
+        "scope": [
+          "http://**",
+          "https://**"
+        ]
+      }
+    },
+    "bundle": {
+      "active": true,
+      "targets": "deb",
+      "identifier": "com.yuezk.gpauth",
+      "icon": [
+        "icons/32x32.png",
+        "icons/128x128.png",
+        "icons/128x128@2x.png",
+        "icons/icon.icns",
+        "icons/icon.ico"
+      ]
+    },
+    "security": {
+      "csp": null
+    },
+    "windows": []
+  }
+}